Description
Describe the Bug
Running Terraform against the configuration below fails at plan time with the following error:
╷
│ Error: Invalid for_each argument
│
│ on .terraform\modules\data_science_lambda.data_science_lambda\iam-role.tf line 89, in resource "aws_iam_role_policy_attachment" "custom":
│ 89: for_each = local.enabled ? local.custom_iam_policy_arns_map : {}
│ ├────────────────
│ │ local.custom_iam_policy_arns_map will be known only after apply
│ │ local.enabled is true
│
│ The "for_each" map includes keys derived from resource attributes that
│ cannot be determined until apply, and so Terraform cannot determine the
│ full set of keys that will identify the instances of this resource.
│
│ When working with unknown values in for_each, it's better to define the map
│ keys statically in your configuration and place apply-time results only in
│ the map values.
│
│ Alternatively, you could use the -target planning option to first apply
│ only the resources that the for_each value depends on, and then apply a
│ second time to fully converge.
╵
=====================================================
Expected Behavior
The custom policy should be created and attached to the Lambda execution role in the same apply that creates the AWS Lambda function, without requiring a two-phase (`-target`) apply.
Steps to Reproduce
Sample Code:
locals {
  # Honour the enabled flag carried by the null-label context.
  enabled = module.this.enabled

  # Managed policy ARNs handed to the Lambda module. The ARN of a policy that
  # is created in the same plan is not known until apply, and the module keys
  # a for_each on these values, which is what produces the
  # "Invalid for_each argument" error reported above. Workarounds: apply the
  # policy first with -target, or pass an ARN that is fully static (IAM policy
  # ARNs are deterministic from account id and policy name).
  custom_iam_policy_arns = [aws_iam_policy.custom_s3_policy.arn]

  # Environment block for the function; omitted entirely when no variables
  # were supplied, since the module expects null rather than an empty map.
  s3_lambda_environment = var.abc_lambda_env != null ? { variables = var.abc_lambda_env } : null
}
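# ARNs of the Secrets Manager secrets this function is allowed to read.
# Declared without a default so callers have to name the secrets explicitly:
# a "*" here would let the function read every secret in the account.
variable "lambda_secret_arns" {
  type        = list(string)
  description = "ARNs of the Secrets Manager secrets the Lambda may describe and read."
}

# Policy document attached to the Lambda execution role: list one S3 bucket
# and read a named set of Secrets Manager secrets.
# Secret ARNs end in a random 6-character suffix, so callers that only know a
# secret's name should pass "<arn-without-suffix>-??????" (or a "*" suffix).
data "aws_iam_policy_document" "custom_s3_policy" {
  version = "2012-10-17"

  statement {
    sid       = "ListSourceBucket"
    effect    = "Allow"
    actions   = ["s3:ListBucket"]
    resources = ["arn:aws:s3:::${data.terraform_remote_state.abc_bucket_id.outputs.bucket_id}"]
  }

  # Value-reading actions are scoped to explicit ARNs. The previous statement
  # used resources = ["*"], which granted GetSecretValue on every secret in
  # the account to this function.
  statement {
    sid    = "ReadNamedSecrets"
    effect = "Allow"
    actions = [
      "secretsmanager:DescribeSecret",
      "secretsmanager:GetSecretValue",
      "secretsmanager:ListSecretVersionIds",
    ]
    resources = var.lambda_secret_arns
  }

  # ListSecrets does not support resource-level permissions, so "*" is the
  # only valid resource for it; it exposes names and metadata, not values.
  statement {
    sid       = "ListSecretNames"
    effect    = "Allow"
    actions   = ["secretsmanager:ListSecrets"]
    resources = ["*"]
  }
}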
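# Managed policy wrapping the custom document; it reaches the execution role
# through the Lambda module's custom_iam_policy_arns input.
resource "aws_iam_policy" "custom_s3_policy" {
  name = "${module.this.id}-access-policy"
  # The former text claimed S3-only access, but the document also grants
  # Secrets Manager read actions; the description is what reviewers see in
  # the IAM console, so it should state the full scope.
  description = "Lambda access policy: list one S3 bucket and read Secrets Manager secrets."
  policy      = data.aws_iam_policy_document.custom_s3_policy.json
  tags        = module.this.tags
}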
# Outputs of the state that created the source bucket (bucket_id and
# bucket_arn are consumed elsewhere in this configuration). A remote_state
# read pulls the whole state file, so the role running this plan should have
# read-only access to just this key. The region is redacted in the report.
data "terraform_remote_state" "abc_bucket_id" {
  backend = "s3"

  config = {
    region = "XXX"
    bucket = var.abc_tfstate_bucket_name
    key    = var.abc_s3_bucket_key
  }
}
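# Lambda function built by the Cloud Posse module; the execution role is
# created inside the module and receives the custom policy below.
module "abc_lambda" {
  source  = "cloudposse/lambda-function/aws"
  version = "0.5.5"

  # Follow the enabled flag from the shared context instead of a hard-coded
  # true, so the function is switched off together with the rest of this
  # root module (locals.enabled already mirrors module.this.enabled).
  enabled = local.enabled
  context = module.this.context

  function_name = module.this.id # bare reference; no interpolation needed
  description   = "Lambda test."

  s3_bucket = var.s3_lambda_s3_bucket
  s3_key    = var.s3_lambda_s3_key
  runtime   = var.s3_lambda_runtime
  handler   = var.s3_lambda_handler

  lambda_environment     = local.s3_lambda_environment
  architectures          = ["x86_64"]
  memory_size            = var.s3_lambda_memory_size
  ephemeral_storage_size = var.s3_lambda_storage_size
  timeout                = var.s3_lambda_timeout
  vpc_config             = var.abc_lambda_vpc_config

  # Managed policies attached to the execution role. An ARN that is only
  # known at apply time triggers "Invalid for_each argument" in the module's
  # aws_iam_role_policy_attachment.custom (see the error in this report).
  custom_iam_policy_arns = local.custom_iam_policy_arns
}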
# Allows S3 event notifications from the source bucket to invoke the function.
resource "aws_lambda_permission" "allow_s3" {
  statement_id  = "AllowExecutionFromS3"
  principal     = "s3.amazonaws.com"
  action        = "lambda:InvokeFunction"
  function_name = module.abc_lambda.function_name
  # Limits the grant to this one bucket. S3 bucket ARNs carry no account id
  # (see the arn:aws:s3::: form used in the policy document), so consider
  # also setting source_account to the bucket owner's account id to rule out
  # a same-named bucket in another account acting as a confused deputy.
  source_arn = data.terraform_remote_state.abc_bucket_id.outputs.bucket_arn
}
Screenshots
No response
Environment
No response
Additional Context
No response